The research
Why we built it this way, and how it stacks up.
The security choices in BrightPath are not preferences. They follow published standards from NIST, OWASP, and Apple, and the privacy duties set out in Ontario’s PHIPA and the HIPAA Security Rule. Here is the evidence, and an honest comparison with the tools clinics already use.
The standards
Encryption done the way the field says to do it.
Each of these is a documented practice, not a marketing line. Open any source and check it.
AES-256-GCM is a named federal standard, not a home recipe
NIST Special Publication 800-38D specifies Galois/Counter Mode as authenticated encryption: one operation that gives confidentiality, integrity, and authenticity together. BrightPath encrypts every protected field with exactly this mode.
NIST SP 800-38DIt matches OWASP’s first choice for stored data
The OWASP Cryptographic Storage Cheat Sheet recommends AES with a 256-bit key in an authenticated mode such as GCM for sensitive data at rest, and says encryption should sit as a layer behind access control. BrightPath’s design maps onto that point for point.
OWASP Cryptographic StorageA fresh nonce every time is the property that keeps GCM safe
NIST requires the nonce to be unique for the entire life of a key; reusing one breaks GCM completely. BrightPath generates a new random nonce for every single field it encrypts, which is why a value encrypted twice never looks the same.
NIST SP 800-38D (PDF)Binding context to ciphertext stops substitution attacks
Associated data is authenticated but not encrypted, and it is bound into the tag so a ciphertext cannot be moved to another context and silently decrypt. AWS calls its version an encryption context; BrightPath binds scope, clinic, document, and field into every envelope.
AWS Encryption SDKDevice key storage is backed by hardware, not app storage
Modern mobile devices store secrets with hardware-backed keys in a dedicated secure subsystem, isolated from the main processor and never exposed to the operating-system kernel. BrightPath keeps its content keys in that secure storage, so the root of the key hierarchy is not sitting in plain app storage.
Apple Platform SecurityEncryption is a second wall, on purpose
OWASP describes defense in depth as multiple independent controls, so no single failure is total. BrightPath treats field encryption as a layer behind authentication and access rules, so a child’s information stays sealed even if a rule is misconfigured or a database is copied.
OWASP security principlesThe law
Built around the duties that actually apply.
BrightPath serves Ontario clinics first, so PHIPA is the reference point, with the HIPAA Security Rule as the framework for US contexts.
PHIPA sets a reasonable-safeguards duty
Ontario’s Personal Health Information Protection Act, s.12(1), requires custodians to take reasonable steps to protect personal health information against theft, loss, and unauthorized use, and to protect records from unauthorized copying or modification. Encryption, access control, and audit logging are the concrete measures that answer that duty.
PHIPA s.12 (CanLII)PHIPA requires telling people when data is compromised
A custodian must notify affected individuals at the first reasonable opportunity, and notify Ontario’s privacy commissioner in defined breach circumstances. Minimizing stored readable data and encrypting what remains reduces both the chance and the severity of a notifiable breach.
IPC OntarioPHIPA expects a public statement of safeguards
Custodians must have and make available a written statement describing the administrative, technical, and physical safeguards they use, and how a person can access or correct their records. A plain-language security page and privacy policy are part of meeting that expectation.
Guide to PHIPA (IPC)HIPAA treats encryption as addressable, which is not optional
Under the HIPAA Security Rule, encrypting stored and transmitted ePHI is an addressable specification: an entity must implement it, or document why not and use an equivalent measure. Because BrightPath encrypts by default, there is no alternative to justify.
45 CFR 164.312 (eCFR)Encrypted PHI can fall inside the breach safe harbor
The HIPAA Breach Notification Rule applies to unsecured PHI. PHI encrypted to the HHS standard is treated as secured, so a lost or stolen device generally does not trigger breach notification, provided the key was not also lost. This is one of the strongest arguments for encrypting by default.
HHS Breach NotificationA signed agreement is still required, and we say so
Where a vendor handles PHI, HIPAA requires a business associate agreement, and Ontario custodians need a written safeguards agreement with their service providers. Technical controls reduce exposure but do not replace those contracts. BrightPath is built to enter them, not to skip them.
HHS Business Associate ContractsHow we compare
Honest about where we lead, and where we do not.
Competitor details are drawn from each vendor’s own public security page, cited in the sources below, and reflect what those pages stated at the time of writing. BrightPath is newer and smaller than these products, so it leads on engineering specifics while honestly lacking the third-party audits some incumbents hold.
| Vendor | Encryption in transit | Encryption at rest | Client-side, per-field encryption | Keys the vendor cannot read | Independent audit (SOC 2 / HITRUST) | Hosting |
|---|---|---|---|---|---|---|
| BrightPaththis app | TLS | AES-256-GCM, on top of cloud at-rest | Yes, AES-256-GCM per field | Yes, keys held on the device | Not yet, and we do not pretend otherwise | Google Cloud |
| CentralReach | SSL / TLS | “Encryption of data” (algorithm not published) | Not published | Not described | SOC 2 + HIPAA, verified by BDO | AWS + Azure |
| Rethink | TLS 1.2 | AES-256, database level | Not published | Not described | HITRUST CSF | Azure |
| Motivity | SSL / TLS | “Data encryption” (algorithm not published) | Not published | Not described | SOC 2 Type II | Azure |
| Catalyst / Ensora | SSL / HTTPS | 256-bit AES via AWS KMS | Not published | Not described | Not published for the ABA product | AWS |
The context
A field that needs better tools, not more of them.
of BCBAs currently use data software to help set ABA service hours, room for tools that actually reduce the load.
ABA Matrixof a BCBA’s time goes to direct client care; documentation and reports eat much of the rest.
ABA MatrixSources
Everything, with a link.
- 01NIST SP 800-38D — AES-GCM and GMAC
- 02OWASP Cryptographic Storage Cheat Sheet
- 03OWASP security principles (defense in depth)
- 04Apple Platform Security — the Secure Enclave
- 05Apple Platform Security — Keychain data protection
- 06AWS Encryption SDK — concepts
- 07Ontario PHIPA (CanLII)
- 08IPC Ontario — health privacy rights
- 09HIPAA Security Rule — 45 CFR 164.312 (eCFR)
- 10HHS — Breach Notification Rule
- 11HHS — Business Associate Contracts
- 12CentralReach — data security
- 13Rethink Behavioral Health — infosec
- 14Motivity — security
- 15Ensora Health (Catalyst / DataFinch) — security
- 16Stax — ABA therapy market overview
- 17ABA Matrix — ABA trends 2026